Leigh Payne

Asking Employees About Their Vaccination Status

The vast majority of the UK population (nearly three quarters of those over 16) has now been ‘double vaccinated’, and the government has lifted the guidance that everyone should work from home unless it is impractical to do so. This means that over the next few weeks, thousands, if not millions, of employees will be returning to workplaces for the first time in many months.

When this welcome news first hit the headlines, employers will have been hoping for a relatively smooth transition of employees from their homes back to office-based working. In most cases, this will be either a full-time ‘return to office’ or a part-time one where employers have seen the benefit of having a permanently agile workforce. However, the rise of the Delta variant (with increasing numbers of COVID cases) means that employers may well now be exercising more caution than originally needed about allowing employees back into the workplace. This is especially true if employees haven’t been vaccinated, depending on the type of work that is carried out on site. It therefore becomes significantly more important for employers to hold accurate information on who has, or has not, been vaccinated. This will mean asking employees about their vaccination status – a seemingly logical step but one which is not without ramifications of its own, particularly concerning the question of data protection.

It is not necessarily unlawful to hold details of vaccination status. However, employers are required to take several preparatory steps to ensure the legality of this data processing.

What needs to be done

The first thing that employers must consider when deciding whether to check the vaccination status of employees is what this move is intended to achieve. This will focus the employer’s mind on whether a justification can be advanced for the proposed gathering of information.

If a definitive use for the information cannot be identified and instead the employer is collecting it ‘just in case’, then it is unlikely that they can justify doing so. The same is true if the employer can reach the same identified goal without this particular data. In either situation, it is unlikely that the employer will have a lawful basis.

Alternatively, if a justification can be made for implementing a vaccination status system, then there is a requirement to be open and transparent about it. This means that everyone must be made aware of the reason for collecting the information and what the employer intends to do with it before any processing even takes place.

Circumstances alter cases

Even if there is the appearance of similarity between organisations, there is no one-size-fits-all justification that can be adopted by every employer, simply because the law will not permit it. Every organisation has a duty to identify the relevant factors and make an individual determination as to its own needs. Factors influencing the reasons for checking vaccination status will vary greatly depending on such variables as the sector, the type of work carried out by employees, and the Health and Safety risks present in the workplace. If employees work in areas or roles where they are more likely to encounter someone who has contracted COVID, or could pose a risk to clinically vulnerable individuals, then the employer may have more of a justification for gathering information on vaccination status. That being said, it would still be hard to justify keeping vaccination status results on record merely for the purposes of routine monitoring – the information must be needed for a specific use.

Special category data

Since a person’s vaccination status falls within the scope of ‘special category data’ for data protection purposes, an employer who gathers this data must ensure that it is processed in accordance with the Data Protection Principles (as with any personal data) but it will also require protection above and beyond ordinary data. An Article 9 condition for processing must also be identified. These are:

(a) Explicit consent

(b) Employment, social security and social protection law

(c) Vital interests

(d) Not-for-profit bodies

(e) Made public by the data subject

(f) Legal claims and judicial acts

(g) Substantial public interest conditions

(h) Health or social care

(i) Public health

(j) Archiving, research and statistics

The most likely appropriate conditions for processing of data regarding vaccination status are (b) employment or (i) public health. If an employer determines that, on assessment, the public health condition is the most relevant, then they will need to use a health professional to carry out the processing or let affected people know that the vaccination status will be treated as confidential and would be disclosed only in specific circumstances.


The GDPR is clear about when it will apply in certain circumstances. For example, if an employee proffers a vaccination card to their employer to prove that they have been vaccinated, then the employer viewing that information will not constitute ‘processing’ and will therefore not be caught by the GDPR. However, if the employer then records that information in notes (either hard copy or on a computer system), then that is ‘processing’ and will therefore be caught by the GDPR.

It is important to recognise when the GDPR will apply in order not to fall foul of the law.

How the information should be used

When the employer makes use of the information collected, the ICO (Information Commissioner’s Office) Guidance requires that employees should not be treated unfairly or in an unjustified way as a result. The information should only be used for the purposes that are stated in the privacy notice.

When recording the information that has been collected, the GDPR requires that it is done accurately. It is also a requirement that the collection and, more importantly, storage of the information is secure.

ICO Guidance states that the duty of confidentiality should be respected, and vaccine status should not be routinely disclosed unless there is a legitimate and necessary reason.

The information should also not be kept for longer than needed. For most employers, a simple check of vaccination status would be all that was required and there would be no reason to keep the information. Any retention of records would need to be justified (and the threshold for justification is a high one).

If the use of the information is likely to put the individuals concerned at high risk of a negative consequence or outcome, for example loss of employment, or denial of access to job opportunities, then the employer will need to draft a Data Protection Impact Assessment.

Review of policies and practices

If the past 18 months have taught us anything, it’s that government guidance can change, often almost overnight. It follows that the amount and type of information that employers feel they need now may well alter significantly over what is often a short period of time, depending on the latest government line. Employers therefore need to monitor both government guidance and scientific advice as it is updated and review their policies and procedures as often as new guidance is issued to ensure continued compliance with the law.